Using ALB as an internal LB endpoint for public subnet nodes

Hey, is it possible to use an internal NLB or ALB for targets in public subnets? I want to use an ALB as an internal LB endpoint for nodes in the public subnet (otherwise it would incur egress costs, and I would like to access it via private networking). Thanks

If I understand your question correctly, the answer is yes. A public subnet isn't a special thing technically as such, it's just a subnet, but one that you treat differently from a private subnet from a security/routing perspective.

The thing is… NATGW costs, that's why I am using public subnets for egress, but I'm not sure if it is possible to have an internal ALB with targets in public subnets. I have two VPCs, peering, one public ALB (ingress); now I want to have a second ALB in the other VPC. But that's only for service-to-service communication. Thanks

Hard to help further without a diagram. What is the reason for 2 x VPCs, etc.?

All EC2 instances from the ASG (driven by EKS) have access to the internet via their public IPv4 addresses, so there are no costs for NATGW transfer.

Updated diagram: [image not preserved]

This would allow me to make requests to services in EKS1 internally without paying for internet costs.

I don’t see a reason why PubSubnet2 in VPC2 wouldn’t be able to reach the ALB1Priv in VPC1 :+1:

Like I said, the fact they're public subnets isn't relevant. As long as the route table they're in routes to the opposite VPC via the VPC peering, and all security groups are correct, it should be fine.

There is this notice from AWS if you select a VPC with a public subnet when creating an ALB:

You can proceed with this selection; however, to prevent internet traffic from reaching your load balancer, you must choose a private subnet or update this subnet's route table in the VPC console.

I am not sure what it means honestly.

Hmm. Not come across that before. As long as your security group only allows traffic from the IP CIDR in VPC2, it should be fine.

I think AWS is politely pointing out that you have your application in public subnets, which is not recommended. (I know you're saving money on NATGW, but at the cost of a compromised design.)

You could put the ALB in VPC1 PrivSubnet1, again, assuming all SGs are correct. VPC2 should still be able to reach it as VPC peering is at the VPC level, not subnet level.

Yes, right, but it seems that a private subnet requires a NATGW, even if there is no EC2 instance; not sure why, otherwise there is another problem with the LB.

NATGW is not a prerequisite for routing or for the LB.

Yes, it makes sense, probably it was some misconfiguration, but the AWS ALB controller was not able to create LBs automatically in the private subnet…
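Added example, not from this thread or from AWS, that checks the conditions discussed above in Python over constructed data shaped like the EC2 describe-security-groups and describe-route-tables output: the ALB's security group admits only the VPC2 CIDR, the ALB subnet's route table sends VPC2 traffic over the peering connection, and whether that subnet counts as public (a default route to an internet gateway, which is the situation the quoted console notice refers to). All CIDRs and resource IDs are assumptions.

```python
import ipaddress

# Constructed sample data in the shape of EC2 DescribeSecurityGroups /
# DescribeRouteTables responses. All CIDRs and IDs below are assumptions.
VPC1_CIDR = "10.1.0.0/16"
VPC2_CIDR = "10.2.0.0/16"
PEERING_ID = "pcx-0000000000000001"  # placeholder peering connection id

ALB_SG = {
    "GroupId": "sg-0000000000000001",  # placeholder
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": VPC2_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # wider than the peer VPC
    ],
}

ALB_SUBNET_ROUTE_TABLE = {
    "Routes": [
        {"DestinationCidrBlock": VPC1_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000000000000001"},
        {"DestinationCidrBlock": VPC2_CIDR, "VpcPeeringConnectionId": PEERING_ID},
    ]
}


def sg_findings(sg, allowed_cidr):
    """Ingress ranges on the ALB security group that reach beyond the peer VPC."""
    allowed = ipaddress.ip_network(allowed_cidr)
    findings = []
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.version != allowed.version or not net.subnet_of(allowed):
                findings.append((perm.get("FromPort"), rng["CidrIp"]))
    return findings


def has_peer_route(route_table, peer_cidr, peering_id):
    """True if traffic for the peer VPC is sent over the peering connection."""
    return any(r.get("DestinationCidrBlock") == peer_cidr
               and r.get("VpcPeeringConnectionId") == peering_id
               for r in route_table["Routes"])


def is_public_subnet(route_table):
    """A subnet is 'public' when its route table has a default route to an IGW;
    that is the condition behind the console notice quoted in the thread."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in route_table["Routes"])
```

Running the checks on the sample data flags the port 80 rule open to 0.0.0.0/0 while confirming the peering route is present and the subnet is public.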